Lucene search
K

153 matches found

Nuclei
Nuclei
added 9 hours ago91 views

Hestiacp <= 1.7.7 - Cross-Site Scripting

Cross-site Scripting XSS - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8. id: CVE-2023-3479 info: name: Hestiacp = 1.7.7 - Cross-Site Scripting author: edoardottt severity: medium description: | Cross-site Scripting XSS - Reflected in GitHub repository hestiacp/hestiacp prior to...

6.1CVSS6.1AI score0.01293EPSS
Exploits1References3
NVD
NVD
added 4 days ago6 views

CVE-2025-30008

HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars encoding ...

5.1CVSS0.00181EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 4 days ago8 views

CVE-2025-30007

HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in...

8.8CVSS6.6AI score0.02077EPSS
Exploits0References5
NVD
NVD
added 4 days ago9 views

CVE-2025-30007

HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in...

8.8CVSS0.02077EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago34 views

CVE-2025-30008 HestiaCP < 1.9.5 Stored XSS via DNS Record Management Interface

HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars encoding ...

5.1CVSS0.00181EPSS
Exploits0References4
EUVD
EUVD
added 4 days ago7 views

EUVD-2025-210452

HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in...

8.8CVSS6.6AI score0.02077EPSS
Exploits0References4
CVE
CVE
added 4 days ago11 views

CVE-2025-30007

HestiaCP prior to 1.9.5 is affected by an authenticated OS command injection via DNS record management. The vulnerability stems from insufficient input validation in is_dns_record_format_valid() and unsafe eval-based parsing in update_domain_zone(), which can allow a low-privilege authenticated u...

8.8CVSS6.6AI score0.02077EPSS
Exploits0References4
OSV
OSV
added 4 days ago2 views

CVE-2025-30007 HestiaCP < 1.9.5 Authenticated OS Command Injection via DNS Record Management

HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in...

8.7CVSS6.6AI score0.02077EPSS
Exploits0References7
NVD
NVD
added 2026/07/04 12:16 p.m.9 views

CVE-2026-12196

HestiaCP panel cronjob feature is affected by a broken access control vulnerability. Low privilege users can modify the panel cronjob to execute scripts HestiaCP management scripts with passwordless sudo. This could result in the takeover of administrator users in the application and the underlyi...

8.3CVSS0.00256EPSS
Exploits0References2
CVE
CVE
added 2026/07/04 12:5 p.m.20 views

CVE-2026-12196

The CVE-2026-12196 entry describes a broken access control vulnerability in the HestiaCP panel cronjob feature. Low-privilege users can modify the panel cronjob to execute management scripts with passwordless sudo, enabling takeover of administrator users in the application and the underlying web...

8.3CVSS6AI score0.00256EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/04 12:5 p.m.11 views

EUVD-2026-41671

HestiaCP panel cronjob feature is affected by a broken access control vulnerability. Low privilege users can modify the panel cronjob to execute scripts HestiaCP management scripts with passwordless sudo. This could result in the takeover of administrator users in the application and the underlyi...

8.3CVSS6AI score0.00256EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/04 12:5 p.m.36 views

CVE-2026-12196 HestiaCP Admin Takeover

HestiaCP panel cronjob feature is affected by a broken access control vulnerability. Low privilege users can modify the panel cronjob to execute scripts HestiaCP management scripts with passwordless sudo. This could result in the takeover of administrator users in the application and the underlyi...

8.3CVSS0.00256EPSS
Exploits0References2
NVD
NVD
added 2026/05/19 2:16 p.m.11 views

CVE-2026-43633

HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP...

10CVSS0.01072EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/19 1:33 p.m.26 views

CVE-2026-43634 HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's...

8.7CVSS6AI score0.00241EPSS
Exploits0References5
CVE
CVE
added 2026/05/19 1:33 p.m.19 views

CVE-2026-43634

CVE-2026-43634 affects HestiaCP versions 1.2.0–1.9.4. The vulnerability is an IP spoofing flaw: unauthenticated attackers can send arbitrary IPs via the CF-Connecting-IP header, bypassing authentication controls and Cloudflare network verification. This can defeat fail2ban brute-force protections...

8.7CVSS6AI score0.00241EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/19 1:33 p.m.15 views

EUVD-2026-30935

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's...

10CVSS6AI score0.01072EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/19 1:29 p.m.9 views

CVE-2026-43633

HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP...

10CVSS6.2AI score0.01072EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/05/19 1:29 p.m.11 views

EUVD-2026-30933

HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP...

10CVSS6.2AI score0.01072EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.20 views

PT-2026-41897

Name of the Vulnerable Software and Affected Versions HestiaCP versions 1.9.0 through 1.9.4 Description A deserialization issue exists in the web terminal component due to a session format mismatch between PHP and Node.js. This allows unauthenticated remote attackers to achieve root-level code...

10CVSS6.3AI score0.01072EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.14 views

PT-2026-41935

Name of the Vulnerable Software and Affected Versions HestiaCP versions 1.2.0 through 1.9.4 Description An IP spoofing issue allows unauthenticated remote attackers to bypass authentication security controls. This occurs when the system accepts an arbitrary IP address provided in the...

8.7CVSS6AI score0.00241EPSS
Exploits0References9
Rows per page
Query Builder